RE: [SQU] Hiding the name and version of squid in the error message

From: Bruno Guerreiro <bruno.guerreiro@dont-contact.us>
Date: Mon, 5 Mar 2001 19:40:16 -0000

Hi,
I don't know if you can disable the %s in the error pages but a simple
telnet to the Squid port will also give the information that you want to
hide.

telnet xxx.xxx.xxx.xxx 80
get
HTTP/1.0 400 Bad Request
Server: Squid/2.3.STABLE4
^^^^^^^^^^^^^^^^^^^^^^^^^
Mime-Version: 1.0
Date: Mon, 05 Mar 2001 19:33:46 GMT
Content-Type: text/html
Content-Length: 824
Expires: Mon, 05 Mar 2001 19:33:46 GMT
X-Squid-Error: ERR_INVALID_REQ 0
  ^^^^^

As far as I can tell Netscape-Proxy and MSProxy also disclose their names
and versions.
Regards,

Bruno Guerreiro

-----Original Message-----
From: Joe Erlewein [mailto:IS_JRERL@mhc.net]
Sent: Monday, 5 March 2001 18:21
To: hno@hem.passagen.se; kareem@tri.net.sa
Cc: squid-users@ircache.net
Subject: Re: [SQU] Hiding the name and version of squid in the error
message

Hello,
In the professional environment I intend to implement this cache solution,
this is very unacceptable.
Linux has been a long-outlawed OS here, and with this recent opportunity to
use something like it,
my objective is to make it as bulletproof as possible. In order to do this,
I need to be sure that the system CANNOT be identified to outside (or
inside) users/hacks.

Thus, the proposed hiding of the cache name / version appears good, but
anyone can click "view source" and have a field day.

Is there a way to reassign the value reported by %s, or is there a way
(possibly recompiling?) to disable the addition of %s if it is undefined?
ie: stop the default signature from being added.

I'd hate to leave an open invitation to the possibility of compromise, and
am actually considering scrapping squid altogether for something commercial
based on this one fatal flaw.

I'm hoping for a workaround, as personally I'd rather use Linux/Squid, but
professionally I'm simply not willing to take the risk...

Joseph R. Erlewein, N8OUZ
Intern, Networking
Munson Healthcare

>>> Henrik Nordstrom <hno@hem.passagen.se> 2/14/2001 3:55:20 PM >>>
You cannot completely hide it, but you can put it inside a HTML comment
making it less obvious to the user..

Example custom signature: (add it to the end of each error page)

<br clear="all">
<hr noshade size=1>
Generated %T
<!-- %h (%s) -->

Unless the error page includes "%s" (Squid name and version) the default
signature will be added.

Note: If you prefer to have the datestamps using your local timezone,
then use %t instead of %T above.

--
Henrik Nordstrom
Squid hacker

Kareem Mahgoub wrote:
> 
> Hi all
> I would like to know if there is a way to hide the version and the name of
> squid, on all error messages.
> I have checked in the FAQ and I found how to change all the parameters but
> not the name and the version that appears in the last line of the error
> message.
> Any help would be appreciated.
> Regards,
> Kareem Mahgoub
> 
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html 
Received on Mon Mar 05 2001 - 12:44:57 MST
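
An added example, not part of the original thread or of Squid itself: a Python check that takes a captured proxy response and lists every place the product name or version still appears, covering both points raised above (the Server and X-Squid-Error headers, and a signature moved into an HTML comment). The sample reuses the headers quoted in the thread; the body, the hostname and the name `find_disclosures` are constructed for illustration, and CRLF line endings are assumed.

```python
import re

# Constructed sample: headers are the ones quoted in the thread; the HTML body
# and hostname are made up, showing the comment-wrapped signature
# ("<!-- %h (%s) -->") as it would look once expanded.
SAMPLE = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: Squid/2.3.STABLE4\r\n"
    b"Mime-Version: 1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Squid-Error: ERR_INVALID_REQ 0\r\n"
    b"\r\n"
    b"<html><body><h1>ERROR</h1>\n"
    b"<br clear=\"all\">\n<hr noshade size=1>\n"
    b"Generated Mon, 05 Mar 2001 19:33:46 GMT\n"
    b"<!-- cache.example.invalid (Squid/2.3.STABLE4) -->\n"
    b"</body></html>\n"
)

# A product/version token such as "Squid/2.3.STABLE4".
PRODUCT = re.compile(r"\b([A-Za-z][\w-]*)/(\d[\w.]*)")


def find_disclosures(raw: bytes):
    """Return (where, detail) pairs for each product identifier in a response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    findings = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        if name.lower() == "server":
            findings.append(("header", f"{name}: {value.strip()}"))
        elif "squid" in name.lower():
            # The header name itself names the product (X-Squid-Error).
            findings.append(("header-name", name))
    text = body.decode("latin-1")
    # Check comments separately: hidden from the rendered page, not from a client.
    comments = " ".join(re.findall(r"<!--(.*?)-->", text, re.S))
    visible = re.sub(r"<!--.*?-->", "", text, flags=re.S)
    for where, chunk in (("body-comment", comments), ("body-visible", visible)):
        findings += [(where, m.group(0)) for m in PRODUCT.finditer(chunk)]
    return findings


if __name__ == "__main__":
    for where, detail in find_disclosures(SAMPLE):
        print(f"{where:13} {detail}")
```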

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:32 MST